UNCLASSIFIED

MEMORANDUM REPORT 01-IT-M-039
MORE GUIDANCE AND OVERSIGHT CAN IMPROVE BROADCASTING
BOARD OF GOVERNORS’ WEB SITE PRIVACY
May 2001

In response to requirements of Section 646 of the Treasury and General
Government Appropriations Act, 2001 (Public Law 106-554), the Office of Inspector
General conducted a review of Internet privacy management at the Broadcasting Board of
Governors. This report focuses on the Broadcasting Board of Governors’ practices
regarding the collection of personally identifiable information through the use of
“cookies”[1] and other means on its public web sites.

Specific objectives of our review were to (1) identify the Broadcasting Board of
Governors’ policies and procedures for managing its Internet web sites in accordance
with Federal guidance, (2) determine whether the Broadcasting Board of Governors’ web
sites use or have entered into third-party agreements concerning the use of cookies, and
(3) determine whether all of the Broadcasting Board of Governors’ major web entry
points have privacy statements posted that adequately reflect what, if any, personal
information is collected on the web sites and how that information is used. In addition,
during the course of our review, we examined the Broadcasting Board of Governors’
structure for managing its web sites and ensuring Internet privacy organizationwide.

RESULTS IN BRIEF

The Broadcasting Board of Governors has become increasingly reliant on the
World Wide Web to deliver multimedia news and information to international audiences
and to inform the public about its activities and services.
The Broadcasting Board of
Governors maintains four public Internet web sites, but has not developed policies to
ensure that the sites are managed in accordance with Federal privacy guidelines
prescribed by the Office of Management and Budget (OMB). Specifically, the guidelines
restrict the use of persistent cookies on Federal Internet sites without compelling need,
agency head approval, and posted notices to advise the public of any information
collected on the sites and how that information is used. Cookies are a typical means of
collecting personal data on Internet sites, often without the site visitors’ awareness.

[1] A cookie is a small text file placed on a site visitor’s computer hard drive by a web server. A cookie
allows a server to recognize returning users, track online purchases, or maintain and serve customized web
pages. A cookie also facilitates the collection of personal information, such as extensive lists of previously
visited sites, e-mail addresses, or other information to identify or build profiles on individual site visitors.

In the absence of an agency policy to help ensure web privacy, we found two
instances in which the Broadcasting Board of Governors used persistent cookies on its
web sites without required authorization. Further, one of the four sites that we reviewed
had no privacy statement and therefore no means of advising users of any information
collected on the site.
We found no evidence that cookies or any other unauthorized
means were used to collect personally identifiable information on the agency’s public
web sites.

The Broadcasting Board of Governors recognizes that it needs to develop web
privacy policies to help ensure compliance with Federal Internet management guidelines.
Agency officials informed us that they recently began to develop a policy directive to
ensure compliance with Federal guidelines for Internet privacy management within the
International Broadcasting Bureau. The International Broadcasting Bureau is responsible
for governing web management throughout the Broadcasting Board of Governors.

BACKGROUND

Rapid innovations in technology in recent years offer increasing opportunities for
the Federal Government to improve the quality of information and service that it provides
to U.S. citizens and world audiences. The World Wide Web, also known as the Internet,
has emerged as a powerful tool for communicating large amounts of information on
Federal activities, policies, and programs. At the same time, however, the Internet has
made it possible for web sites to track and collect personally identifiable data[2] from site
visitors, making online privacy one of the key and most contentious issues in this
information management age.

Internet cookies are a principal means by which web sites can collect personal
information from site visitors, often without the visitors’ knowledge or consent. There
are two types of cookies—“session cookies” and “persistent cookies.” Session cookies
are short-lived, used only during a single browsing session, expire when the user quits the
browser, and consequently do not raise privacy concerns. Persistent cookies track
information over time or across web sites.
They remain stored on visitors’ computers
until a specified expiration date and can be used to collect information, such as a visitor’s
areas of interest and individual browsing habits. Persistent cookies may raise the public’s
apprehension about what information is collected and how it could be used.

[2] Personally identifiable data includes an individual’s name, e-mail address, postal address, telephone
number, Social Security number, or credit card number.

The full potential of the Internet to help improve Federal services cannot be
realized until U.S. citizens are confident that their online privacy will be safeguarded.
Recognizing this, and building on principles established by the Privacy Act of 1974
(5 USC 552a) and the Paperwork Reduction Act of 1995 (Public Law 104-13), the U.S.
Government has recently taken steps to help ensure the privacy of visitors to Federal web
sites. Specifically, over the past 2 years, OMB issued guidance that establishes the U.S.
Government policy for the use of cookies on department and agency public web sites.[3]
Taken together, the OMB guidance directs that Federal web sites and contractors
operating web sites on behalf of Federal agencies should not use persistent cookies on the
web sites unless they provide clear and conspicuous notice of those activities and meet
the following conditions: (1) a compelling need to gather the data on the site, (2)
appropriate and publicly disclosed privacy safeguards for handling information derived
from cookies, and (3) personal approval by the head of the agency.
The OMB guidance
further exempts Federal use of session cookies from these requirements.

PURPOSE, SCOPE, AND METHODOLOGY

Section 646 of the Treasury and General Government Appropriations Act, 2001,
directs all Inspectors General to report on their respective agencies’ practices to collect
any personally identifiable information from their public Internet sites. Such information
could be collected either on an agency’s web sites or through third-party agreements. In
response to the Act, the Office of Inspector General conducted a review with the specific
objectives of (1) identifying the Broadcasting Board of Governors’ policies and
procedures for managing its Internet web sites in accordance with Federal guidance, (2)
determining whether the Broadcasting Board of Governors’ web sites use or have entered
into third-party agreements concerning the use of cookies, and (3) determining whether
all of the Broadcasting Board of Governors’ major web entry points have privacy
statements posted that adequately reflect what, if any, personal information is collected
on the web sites and how that information is used.

To fulfill our review objectives, we researched procedures used at the
Broadcasting Board of Governors to govern Internet privacy in accordance with Federal
laws and regulations. We met with officials from organizations throughout the
Broadcasting Board of Governors to learn how they manage their public Internet sites
and whether they collect any personal information on the Internet via cookies, third-party
agreements, or other electronic means.
We also tested the four Internet sites that we
identified within the Broadcasting Board of Governors to determine if cookies are used
and whether privacy statements are posted to advise of such practices.[4] Where necessary,
we followed up with responsible officials to obtain explanations of their web
management practices and plans for corrective actions.

Appendix A provides details on our methodology for testing the Broadcasting
Board of Governors’ Internet sites. As a part of this approach, we did not examine every
page on a web site, but rather spent a limited time navigating through each site to look for
cookie indicators. We also relied on discussions with web management officials to learn
about third-party agreements or other practices to collect information on public web sites.
To validate our treatment in the report of Internet management practices that the officials
described, we obtained comments on a draft of the report from organizations that
participated in our review. We have incorporated their comments and suggested changes
where appropriate and have included a copy of the comments at Appendix B.

[3] The OMB guidance includes (1) Memorandum M-99-18, Privacy Policies on Federal Web Sites, June 2,
1999, (2) Memorandum 00-13, Privacy Policies and Data Collection on Federal Web Sites, June 22, 2000,
and (3) a letter from the Administrator, OMB Office of Information and Regulatory Affairs, to the Chief
Information Office, Department of Commerce, September 5, 2000, clarifying the previously issued
guidance.

[4] We did not include issues related to management of the Broadcasting Board of Governors’ internal
Intranet sites in our review.

We conducted our review from January to April 2001 at the Broadcasting Board
of Governors in Washington, DC.
We met with officials from the International
Broadcasting Bureau, including the Associate Director for Management and officials
from the Office of Internet Development. We conducted this work in conjunction with a
similar review of Internet privacy management at the Department of State.[5] We
performed our work in accordance with generally accepted government auditing
standards. Major contributors to this report were Frank Deffer, Sondra McCauley, and
John Shiffer. Comments or questions about the report can be directed to Mr. Deffer at
defferf@state.gov or at (703) 284-2715.

AUDIT FINDINGS

INTERNET PRIVACY GUIDANCE NEEDS TO BE ESTABLISHED

At the time of our review, the Broadcasting Board of Governors had not
established agencywide policies for managing its public Internet sites in accordance with
Federal web site privacy guidelines. Without such policies, the Broadcasting Board of
Governors is limited in its ability to ensure that its bureaus and offices, as well as
contractors operating web sites on behalf of the agency, are aware of, and in compliance
with, Federal restrictions on the use of Internet cookies and requirements for posting web
privacy and security notices.

Although the Broadcasting Board of Governors has no Internet privacy policies in
place, the agency has developed Web Style Guide and Design Specifications for one of its
web sites—www.voanews.com. This style guide outlines the elements that, when
combined, create a user-friendly, distinctive web design. The style guide is to be used
when adding new pages, features, or information to the web site. However, this guide
does not meet Federal requirements for establishing web site privacy management
policies.

Broadcasting Board of Governors officials agreed with our concerns that guidance
needs to be developed to ensure oversight and compliance with Federal Internet privacy
policies.
We provided officials with a sample copy of guidance developed by the
Department of State, which specifically outlines restrictions on cookie use and requires
that privacy statements be posted to Internet sites. Broadcasting Board of Governors
officials informed us in mid-April 2001 that they had taken initial steps toward
developing their own web privacy guidelines.

[5] Departmentwide Web Site Management Needs to be Strengthened, (01-IT-M-017, March 2001)

    Recommendation 1: We recommend the Broadcasting Board of Governors
    direct the International Broadcasting Bureau to develop and implement policies
    consistent with Federal web site guidelines prescribed by the Office of
    Management and Budget.

WEB SITES DO NOT COLLECT PERSONALLY IDENTIFIABLE DATA

The Broadcasting Board of Governors does not use its Internet sites to collect
personally identifiable information on site visitors without their awareness. Our review
identified two unauthorized uses of persistent cookies on the Broadcasting Board of
Governors’ web sites; however, the cookies were not used to gather personal data on site
visitors. The web site managers have been informed and are currently taking steps to
either remove or seek the Broadcasting Board of Governors’ approval for the two
persistent cookies that we discovered during our review. The Broadcasting Board of
Governors has other processes to collect web statistics, trend data, or log files for security
purposes, but these processes also are not used to track individual users over time.
Given
recent legislation and ongoing discussions within the Broadcasting Board of Governors
about potentially using the Internet to conduct electronic business, consideration may
have to be given in the future to possibly using cookies or other means to collect personal
information on web site visitors.

Cookies Generally Not Used on Broadcasting Board of Governors Web Sites

The Broadcasting Board of Governors generally does not use cookies on its public
web sites. We found that of the four sites that we visited and tested, in only two instances
were persistent cookies used.[6] We found these persistent cookies on the
www.voanews.com/macedonian and www.ibb.gov/marti web pages. The web managers
of both web pages told us that they did not know that persistent cookies were being used.
The managers are currently taking steps to either remove the persistent cookies that we
discovered during our review or seek the required approval for their continued use.

Persistent Cookies Not Used to Collect Personal Data on Web Visitors

In both instances where we found use of unauthorized persistent cookies, we
found no evidence that the cookies were used to collect personal data on site visitors.
Specifically, on the www.voanews.com/macedonian web pages that had a cookie, web
managers used a web site development tool, called ColdFusion. This tool automatically
uses persistent cookies, which provide a convenient way to maintain user preferences
(i.e., graphics display, screen color, etc.) as a user navigates from one web page to
another during a site visit. The user’s preferences are automatically removed from
memory when the user’s session ends. The web manager for this site stated that he was
unaware that ColdFusion automatically uses persistent cookies. The Office of Internet
Development is trying to determine whether the persistent cookie we identified can be
changed into a session cookie.
If this is not possible, the office will seek approval from
the Broadcasting Board of Governors to continue to use the cookie on the site.

[6] A web site may include hundreds of pages. A cookie could be used on any of the pages.

We notified officials responsible for the www.ibb.gov/marti web page that we had
found a persistent cookie on the web site. We requested an explanation about the cookie
and advised that the organization must either remove the cookie from its web site or seek
agency head approval for its continued use. Web officials were unaware that their
third-party web tracking service used a persistent cookie. The cookie was used to count the
number of hits received on the web site. Web managers notified us on April 11, 2001,
that they had removed the cookie from the site.

Other Methods for Handling Personally Identifiable Data on Broadcasting Board of
Governors Web Sites

OMB guidelines permit several other ways in which personal data may be
handled on Broadcasting Board of Governors web sites. For example, for audit and
security purposes, the Broadcasting Board of Governors web sites generate log files of
when their sites are visited. The log files do not record information on individual web
users. Rather, they include information such as Internet protocol addresses,[7] time frames,
and Internet service providers used to access web sites. For example, when a visitor
connects from America Online to a Broadcasting Board of Governors web site, the web
management system will generate information about the visitor’s web domain (aol.com)
and the date and time of the visit. The logs are amassed in large files that are stored and
secured for 6 months, after which time they are destroyed.
In case of computer security
incidents, such as hacker intrusions or denials of service, the logs are turned over to
security officials for investigation. The Broadcasting Board of Governors also uses the
logs to determine web trends, create summary statistics on what information is of most
and least interest, or identify systems performance or problem areas. Commercial
software programs are available to facilitate the ability of systems administrators to view
and analyze the logs.

There are other ways in which personal data might be handled on Broadcasting
Board of Governors web sites. For example, a visitor to an agency web site might
provide personal information in an e-mail message sent through the site. When this
occurs, the Broadcasting Board of Governors uses any information the visitor provides
only as a means of responding to the message. Further, the Broadcasting Board of
Governors might also collect personally identifiable data through questionnaires,
feedback forms, or other means on its public web sites. In these instances, individuals
voluntarily provide the personal information to the Broadcasting Board of Governors; the
information is not collected on the web site without the individuals’ knowledge. We
found that no unauthorized ways of handling personal information were used—either
directly or through third-party agreements—on the Broadcasting Board of Governors web
sites that we reviewed.

[7] An Internet protocol address is a series of numbers used to identify a computer on the Internet.
When
transferring data from one computer to another, both the sending and receiving Internet protocol addresses
are attached to the data packet to allow two-way communications.

Potential Need for Persistent Cookies in the Future

Although current Federal guidelines restrict cookie use, senior Broadcasting
Board of Governors officials told us that it might be necessary in the future to use cookies
on Internet web sites in order to improve the quality of service to the public. For
example, Section 1704 of the Government Paperwork Elimination Act[8] requires that by
2003, executive agencies provide options for the electronic maintenance, submission, or
disclosure of information, when practical, as a substitute for paper. To comply with the
law, agencies may find it necessary to use cookies on their web sites. Currently,
Broadcasting Board of Governors web sites deliver multimedia news and information to
international audiences and inform the public about agency activities. However, in the
future, the agency may wish to allow users to customize their view of agency web sites to
display only specified information. Cookies may be needed to remember the user
preferences.

    Recommendation 2: We recommend that, in accordance with established Federal
    guidelines, the Broadcasting Board of Governors direct all bureaus and offices to
    inspect their web sites to identify any persistent cookies and either remove the
    cookies or request agency head approval for their continued use.

PRIVACY STATEMENTS NOT CONSISTENTLY POSTED
ON AGENCY WEB SITES

We found that Broadcasting Board of Governors web sites do not always comply
with Federal requirements for posting privacy notices on their Internet sites.
The privacy
statements are intended to advise site visitors of what information the agency collects
about individuals, why the agency collects it, and how the agency will use it. The general
practice is to provide a link on the initial home page that provides a central location for
various disclaimers and legal notices to cover the web site as a whole. Additional privacy
notices are also needed wherever information is collected from the public on the web site.

However, as of early March 2001, one of the four Internet web sites we reviewed
– monitor.ibb.gov – had no privacy statement and therefore no means of advising users of
any information potentially collected on the site. The web manager stated that he was
unaware of the requirement to post a privacy statement and agreed to take corrective
action.

[8] Government Paperwork Elimination Act, 44 USC 3504, October 1998.

Since web managers of the two web pages that had persistent cookies were
unaware of the cookies’ existence, managers did not address cookie use in their privacy
statements. Their privacy statements did, however, outline web site policies for
collecting and storing information on visitors to the web sites for statistical purposes. In
addition, any information that is provided by visitors through the web sites in the form of
e-mails, questionnaires, feedback forms, or other means is used to improve customer
service and is not transferred to any third parties. As discussed above, none of the
persistent cookies identified were used to track or collect personal data on individual site
users.
The agency stated in its written response to the draft report that it would update
the web privacy policy on the www.voanews.com site to advise visitors about cookie
usage on the site.

    Recommendation 3: We recommend that the Broadcasting Board of Governors
    direct all agency bureaus and offices to examine their web sites to ensure that
    complete and up-to-date privacy statements are posted, or appropriately linked to
    privacy statements on the primary agency web site, advising site visitors of any
    cookie use or of any personally identifiable data that is collected, stored, or used
    by the web site for any purpose.

AGENCY COMMENTS AND OUR EVALUATION

The Broadcasting Board of Governors provided written comments on a draft of
this report. A copy of the agency’s comments is included as Appendix B. The
Broadcasting Board of Governors concurred with all of our recommendations and agreed
to take corrective action. Specifically, concerning Recommendation 1, on behalf of the
Broadcasting Board of Governors, the Associate Director for Management of the
International Broadcasting Bureau requested that the Office of Internet Development
draft a proposed agency policy directive consistent with Federal web site guidelines. The
Broadcasting Board of Governors expects to implement these guidelines by August 1,
2001, if not earlier.

Concerning Recommendation 2, the Broadcasting Board of Governors stated that
it is inspecting its web sites to identify any persistent cookies used. The Office of
Internet Development is studying whether the persistent cookie found on the
www.voanews.com/macedonian page can be changed to a session cookie. In addition, an
action memorandum has been drafted for signature by the agency head requesting
approval to restrict use of cookies on the agency’s public web sites to several specific
circumstances.
In response to Recommendation 3, the Broadcasting Board of Governors
has agreed to update the privacy policy on the www.voanews.com web site to reflect the
presence of a persistent cookie until the cookie can be removed.

APPENDIX A

WEB SITE TEST METHODOLOGY

We reviewed the four Internet web sites that we identified within the
Broadcasting Board of Governors from March 7 through March 30, 2001. Our review
entailed navigating through the web pages within each site--generally spending 8 to 20
minutes per site--to determine whether the site used cookies and posted a privacy
statement advising of this practice and any other automated activities to collect personal
data. To determine cookie use on the web site, we first had to change the security
settings on Microsoft’s Internet Explorer so that the browser would prompt us if web sites
tried to place cookies on our computer. For each web site visited, we printed a copy of
the site’s home page, privacy statement, and any cookie notification[9] that appeared. We
also examined the cookie notification to determine whether session or persistent cookies
were used.
Figure 1 below provides an example of a persistent cookie notification.

Figure 1: Sample Persistent Cookie Notification

Because this cookie does not expire until 2037, it is a persistent cookie.

[9] Such cookie notifications do not adequately fulfill OMB requirements to post clear, conspicuous privacy
statements at major web entry points to reflect what, if any, personal information is collected on web sites
and how that information is used.

APPENDIX B

AGENCY COMMENTS[10]

[10] The draft report title, Broadcasting Board of Governors’ Web Site Management Needs Improvement, was
changed for final publication to More Guidance and Oversight Can Improve Broadcasting Board of
Governors’ Web Site Privacy.
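
The session-versus-persistent check described in Appendix A, as an added example that is not part of the OIG report: it classifies Set-Cookie response headers by their Expires and Max-Age attributes instead of reading browser prompts. Host names, cookie names and header values are constructed placeholders, and the reference time is set to the last day of the review period.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed reference time: the last day of the review period in Appendix A.
AUDIT_TIME = datetime(2001, 3, 30, tzinfo=timezone.utc)

# Constructed observations: (page URL, raw Set-Cookie header value).
# Hosts and cookie names are placeholders, not values from the report.
OBSERVED = [
    ("http://site-a.example/", "SID=abc123; Path=/"),
    ("http://site-a.example/news",
     "prefs=color%3Dblue; Expires=Thu, 31 Dec 2037 23:55:55 GMT; Path=/"),
    ("http://site-b.example/", "hits=1; Max-Age=31536000"),
    ("http://site-b.example/", "old=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
    ("http://site-c.example/",
     "t=1; Max-Age=0; Expires=Thu, 31 Dec 2037 23:55:55 GMT"),
]


def classify_set_cookie(header_value, now=AUDIT_TIME):
    """Return (name, kind, expires_at) for one Set-Cookie header value.

    kind is "session" (no expiry attribute, dropped when the browser closes),
    "persistent" (expiry in the future) or "expired" (a deletion request).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = None
    expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass  # an unparseable Max-Age is ignored
        elif key == "expires":
            try:
                parsed = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # an unparseable date is ignored
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            expires = parsed
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    if max_age is not None:
        expires_at = now + timedelta(seconds=max_age)
    elif expires is not None:
        expires_at = expires
    else:
        return name, "session", None
    kind = "persistent" if expires_at > now else "expired"
    return name, kind, expires_at


def find_persistent(observations, now=AUDIT_TIME):
    """Return (url, cookie name, lifetime in days) for every persistent cookie."""
    findings = []
    for url, header in observations:
        name, kind, expires_at = classify_set_cookie(header, now)
        if kind == "persistent":
            findings.append((url, name, (expires_at - now).days))
    return findings


if __name__ == "__main__":
    for url, name, days in find_persistent(OBSERVED):
        print(f"{url}: cookie {name!r} persists for {days} days; "
              "remove it or seek approval")
```

Each finding corresponds to a cookie that, under the OMB conditions summarized in the report, must be removed or approved by the agency head; session cookies are exempt and are not reported.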